Concerns and Implications - absentee-neptune/Senior-Capstone GitHub Wiki

Ethical Constraints and Implications

Our project has a few ethical implications that we need to discuss, primarily involving the handling and outlining of data. In a process such as generating logs on a network, ethical dilemmas come up around scope: what can we ethically include in, and exclude from, the data that is monitored on our network? In this section, the team will talk about the ways that we are working to handle the ethical scope and ethical implications of our project.

First, to understand the ethics of our project, we need to discuss its scope. What are we looking for, what does this mean in terms of web traffic, and how can we maintain our scope? Let’s begin with the first question: what are we looking for? We are simply looking for any activity on our network that could be considered abnormal or unusual for a standard home network or small business environment. Since home networks and small businesses began to merge at the start of COVID-19, we want to look at what threats, pieces of software, and connections could be pertinent to the home business environment. On a more technical level, we are looking for connections that may not be normal. An example of this could be a random connection to a locally hosted server from a foreign outside source, or an unauthorized and unexpected scan on the network. These would be anomalies that would be cause for alarm inside a business and a home network alike.

So the question then becomes: how do we limit our scope to encapsulate only the information that we are looking for? This is, surprisingly, much easier than we thought. Since we are using a SIEM, we can remove normal logs from our view and limit our exposure, maintaining a level of privacy for the residents of our apartment. Additionally, with the introduction of the webserver, we can monitor the traffic in the network being routed to that system and the abnormality of logs on our system. All of this information, however, still has implications that directly affect the apartment residents. To look at the ethical implications, we should look at a case study. A case study performed by Frances S. Grodzinsky looked at how people think about the monitoring of the internet and a university network. When people were questioned about the ethics of monitoring, only 17% said that it was unethical to monitor a network, and only 1% said it violates trust if it is discussed ahead of time.

In terms of other ethical implications of our project, we wanted to assess the security of third-party software used for services such as online schooling. This includes software like Zoom, Google Classroom, and Inspace. This, however, raises another question about the ethics of testing software for vulnerabilities. If you are even looking at the software using external network monitoring software, are you violating an agreement between you and the company? These are important questions to ask when looking at the ethics of our project. To answer them, there are different objectives to consider.

If we find a vulnerability and can prove the existence of a significant problem, should we tell the company directly, publish our findings, or make a post on a database site for them to see? When weighing these options, we need to assess whether it is better to try to cash in on a bug bounty or to try to complete this work for the company. An article discussing exactly this had an interesting perspective, stating, “These points resonate with the classical but still ongoing debates about software vulnerability markets in general. Thus, depending on a viewpoint, the societal reward may also be a liability: instead of working toward the ultimate goal of improving software quality, bug bounties may increase the stockpiling tendency and the exploitation of vulnerabilities,” (Ruohonen & Allodi, 2018). From this perspective and our own, I think the ideal way to handle the discovery of a vulnerability would be to contact the company directly to inform them of the vulnerability. This way they can patch it without an uptick in exploits and then provide the information to customers as needed.